Cyber and Information Security: Issues and Mitigation Measures

Introduction

Cybersecurity is a concept that comes with different responsibilities and consequences if breached. Governments, individuals, and businesses are exposed to various risks when it happens as it has been evidenced in the case of Hillary Clinton and Edward Snowden and his WikiLeaks’s project. To put the same into perspective, Reinicke (2018) explains that, cybersecurity breaches cost companies an average of $3.6 million per company. The White House (2018) explains that the U.S. economy lost an estimated $57-$109 billion in 2016. Ponemon Instute LLC (2017) explains that statistics show a 22.7% annual increase in the losses. Security breaches have been increasing at a rate of 27.4% annually. To this point, it is clear that cybersecurity just like physical security can be compromised and if so, it can threaten homeland security and massive investments that are critical to the economic survival of this country. This paper will identify different cyber and information security issues and prescribe potential solutions and practices that can be used to mitigate the risks associated with breaches.

Core Issues with Cyber and Information Security

This section will focus and elaborate the different issues that affect cyber and information security. The issues that will be given preference include disgruntled employees, careless and uninformed employees, handling of mobile devices, use of cloud-based applications, unpatched and unpatchable devices, and lastly, third-party service providers.

Disgruntled employees are the main cause of worry among companies and governments. For instance, Edward Snowden was a disgruntled former CIA employee and former contractor for the American government, who copied and leaked classified information for the NSA. .According to Colwill (2009), of particular focus are employees in the IT department or those with knowledge and access to important infrastructures, such as data centers, networks, admin accounts, and the entire IT infrastructure. Additionally, an article by Corbin (2015) suggested that the famous hacking of Sony was an inside job perpetrated by Sony’s disgruntled employees and not operatives from North Korea as the public was made to believe. Whether true or not, the fact that disgruntled employees know important information, they pose a significant threat to the cyber and information security of organizations.

Employees might be careless with their gadgets, and passwords either consciously or unconsciously. If it happens unconsciously, employees might be doing it out of ignorance and lack of sufficient information about the significance of information security. For instance, employees might have weak passwords or visit unauthorized websites. They might also open suspicious emails or attachments that might be malware. According to Simmonds (2018), information security culture in an organization is very critical in ensuring cybersecurity.

Use of mobile devices by employees to access information systems is a threat to cyber and information security. Statistics indicate that more than 68% of security breaches in companies across the globe can be attributed to mobile security breaches (Thales Security, 2018). When employees are allowed to bring their own devices to work, they expose their companies’ network to risk since such devices can be used to install malware and Trojan software that can access the company’s information systems.

Cloud applications, unpatched and unpatchable devices can be used as access points by malware to infiltrate information systems. According to Rao and Selvamani (2015), challenges posed by cloud-based applications include data leaks, identity and access management, and data segregation and protection. Unpatched and unpatchable devices such as routers, servers, printers, and other network devices that employ software and firmware in their operations are vulnerable. The devices are exploitable in the networks and attackers can use them to gain access to information systems. Use of devices that do not have security updates or patches often exposes organizations to risks. For instance, Patrizio (2015) reported that Microsoft would not be supporting Window Server 2003. The implications of this are that organizations using the servers would no longer receive patches or security updates for their software. In this case, such organizations are left vulnerable to attackers.

Third party service providers are often brought in by companies as outsourced resources to support the development and maintenance of systems. The providers often use remote access tools to connect to the company’s networks and might not be interested in following the best security practices. For instance, providers might use the same default password to access all their client’s networks. According to Observe IT (2014), about 40 million Target customers data was wiped by hackers who accessed their system using their sub-contractor-HVAC. The same happened to Subway when hackers stole customer credit card data using subcontractor account, and Sony was hacked and 77 million user accounts were compromised. The same happened to the South Carolina Department of Revenue and tax, data belonging to 6.4 million taxpayers were compromised (Observe IT, 2014). These statistics show the integral role of subcontractors in data security.

Potential Solutions and Best Practices to Mitigate the Risk Associated with Breaches

To ensure that disgruntled employees do not expose the security of the information systems of companies or organizations, all privileged accounts and credentials should be terminated. This strategy will ensure that such accounts are no longer able to access the company using their previous credentials. The system should be capable of creating alerts and keep a log of activities.

Employees who are ignorant about cyber and information security should be sufficiently trained to ensure that they are capable of employing best practices and learn how to protect themselves online. Organizational systems need to be capable of logging out employees after some idle time and prompt them to log in, as well as change passwords regularly. The system should force employees to use strong passwords, which should be difficult for scammers to learn. Sufficient resources should be provided to employees to ensure that they have the knowledge and means to deter threats. Data should be sufficiently encrypted to ensure that it is not accessible to outside parties.

For employees who are allowed to bring their own devices to the workplace, sufficient policy development, implementation, and sensitization should be ensured. The policies should be periodically reviewed to ensure that they are reflective of the changing cyberspace topography. The company should monitor emails and documents to ensure that they are authentic and cannot be used as conduits for allowing malware into the company’s servers. Such monitoring is important in ensuring that the organization is capable of defining its risk factors. With mobile security solutions, organizations need to implement mobile security solutions. Business applications and business data should be separated to ensure that corporate content, credentials, and other important configurations are always encrypted. All vulnerable points of entry should have multiple layers of control to reduce the propensity of attacks. Encryption of data that is bound to cloud storage needs to be given prominence to ensure that any third party is prevented from accessing the systems even if such cloud-based applications are hosted in public clouds.

Organizations using network devices and servers requiring patching need to implement patch management programs, which will ensure that all devices and servers are up to date. To manage this implementation effectively, a vulnerability management technology is important. It will identify vulnerable areas and will show outdated equipment and servers. Irreparable equipment should be taken offline. The company should have sufficient inventory of all software hosted in a given server to ensure that a time of downgrade or upgrade is well planned to avoid inconveniences or loss of data.

Third parties need to be sufficiently identified to ensure that they access the system when it is known. Security best practices such as the use of multifactor authentications or unique credentials are important. A company using third-party services should ensure that it has logs, which provide an audit trail of what each user did.

Conclusion

Security of information systems is critical to the success of all businesses. Businesses and all forms of organizations need to be sure of the safety of their information systems. Clearly, cyber and information security is an activity that is continuous and requires the use of regularly updated tools and knowledge. Organizations cannot escape the responsibility of investing in security. Disseminating information to employees is important since such employees provide an important gateway for attackers. Exit procedures for employees must be implemented to ensure that angry employees do not expose the organizations to cybersecurity risks. Third parties need to be handled carefully to ensure that they are not points of attack.

References

Corbin, K. (2015, January 15). Sony Hack Is a Corporate Cyberwar Game Changer. CIO.com Retrieved from https://www.cio.com/article/2871672/cybercrime/sony-hack-is-a-corporate-cyberwar-game-changer.html

Colwill, C. (2009). Human factors in information security: The insider threat–Who can you trust these days?. Information security technical report, 14(4), 186-196.

Observe IT. (2014). Strangers in your Servers: Make Working with IT Contractors More Secure. Retrieved from https://www.ten-inc.com/presentations/ObserveIT-Remote-Vendor-Monitoring.pdf

Patrizio, A. (2015). Are You Ready for the End of Windows Server 2003? CIO.com. Retrieved from https://www.cio.com/article/2872512/windows/are-you-ready-for-the-end-of-windows-server-2003.html

Ponemon Instute LLC. (2017). Cost of Cyber Crime Study: Insights on the Security Investments that Make a DIfference. Accenture.com. Retrieved from https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf

Rao, R. V., & Selvamani, K. (2015). Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48, 204-209.

Reinicke, C. (2018, June 21). The biggest cybersecurity risk to US businesses is employee negligence, study says. CNBC News. Retrieved from https://www.cnbc.com/2018/06/21/the-biggest-cybersecurity-risk-to-us-businesses-is-employee-negligence-study-says.html

Simmonds, M. (2018). Instilling a culture of data security throughout the organisation. Network Security, 2018(6), 9-12.

Thales Security. (2018). 2018 Thales Data Threat Report: Trends in Encryption and Data Security. Retrieved from http://go.thalesesecurity.com/rs/480-LWA-970/images/2018-Data-Threat-Report-Global-Edition-ar.pdf

The White House. (2018). The Cost of Malicious Cyber Activity to the US Economy. Retrieved from https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf